Open Source Myths: Security25 Feb 2007
Today's open-source myth: Open-source software is more sucure
Everyone can see the source code of open-source software. Thousads eyes can look for a potential security problems. It must be more secure than a software that is closed and nobody can see the sources. Right? No, not reealy. It is right that thousands eyes can easily look for vulnerabilities in the code. Yeah, thousands can, but how many really do? And what are the motivations behind them?
Open-source folk is usually focused on the functionality of the software. If someting does not work, it is detected immediatelly and also fixed by people that are bothered enough by that. But what about security bugs? The problem with security bugs is that they are usually fixed really easily, but it is very difficult to detect that they exist in the first place. To find a vulnerability in a software usually takes a lot of time and skill. Someone who is going to seach for security holes must be really well motivated to do it.
Commercial companies motivates their employees by paying them. And the companies themselves are motivated by the market and the negative reputation that will affect their profits if a security hole is exploited. But what motivates open-source folk?
I think that some high profile open-source packages can be more secure than commercial ones. The reason may be that lots of commercial companies use these packages and it got some commercial attention. But the statement that open-source in general is more secure than commercial software is not entirelly true.